
Computer science student expelled for testing university software security


Renegade:
Hey, did that student pay for his license?

http://www.acunetix.com/ordering/

Acumotherkillerservertrixiephant Seems a bit beyond student budgets... :P

Maybe he should be crucified for that too!

(Just kidding! The university probably has licensing to cover students. Meh? What the heck! Let's have a good old fashioned lynching! :P )

Maybe ethics courses or legal courses should be included in first year university? ;)

f0dder:
From my sysadmin perspective all I can say is: A predictable and avoidable outcome. I'm hardly surprised at the response. Nor should he be.
-40hz (January 21, 2013, 10:42 AM)
--- End quote ---

Agreed.

If you don't have a (written) agreement with your target, you're not pentesting - you're hacking.

Is it piss-poor behavior from the uni? Yes. But if you're not going to play by the rules (which might very well be necessary sometimes, whistleblowing incompetent lying bastards comes to mind), you'll have to expect unfavorable outcomes.

Which is why you run such scans from a VM on a laptop with a faked MAC address, through TOR on a public WiFi.

Stoic Joker:
Just because it's predictable (true), doesn't make it right.

I'm with Mouser & Ren - They should have just counted coup on the kid...not take him out and shoot him - this is crap.

wraith808:
All I'm responding to is the fact of it being illegal
--- End quote ---
The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.
-Josh (January 21, 2013, 10:35 AM)
--- End quote ---

All I'm saying is that saying it was illegal, then using said threat to make him sign an NDA, wasn't right by any means. It's not illegal in and of itself, and trying to prosecute him for such would be legal handwaving. Not saying a prosecutor wouldn't do it, but that's what it would be.

40hz:
Just because it's predictable (true), doesn't make it right.

I'm with Mouser & Ren - They should have just counted coup on the kid...not take him out and shoot him - this is crap.
-Stoic Joker (January 21, 2013, 12:03 PM)
--- End quote ---

Here's the thing...a university's computer is *NOT* just sitting there for purely educational purposes - or for the students. Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.

So when some undergrad decides that such a system is his personal playground where everything that happens on it should be purely for his own personal education and experience....well...I have a little trouble dealing with that level of hubris and selfishness.

Running a penetration test (even a white-hat one) sets off alarms, gets the sysadmins steppin' & fetchin' - and sometimes puts outside contracts or internal operations in jeopardy. Especially if the DoD or financial institutions are involved. Disclosure statements to be filed, audits to be performed, re-certifications needed in some cases, and occasionally data or contracts lost, plus a hit to your reputation and a signal to potential hackers that this is a facility worth targeting...all of these things come at a price. And to just say "Well...I'm just a student and I was trying to learn something." doesn't cut it in this context.

One unfortunate thing I'm seeing more and more with the upcoming generation is how many have consciously or subconsciously embraced the notion that "it's easier to ask for forgiveness than to get permission." Almost like life comes with a reset or "new game" button. Well guess what? It doesn't. It's called reality. Welcome to Life-101.

And one of the first lessons learned in Life-101 is that just because you say "you're sorry" and "didn't mean anything by it" doesn't automatically absolve you of the consequences of your actions.

In this day of virtual machines and lab setups there are safer and better ways to become educated in network intrusion than to perform an unauthorized 'run' on a live production system. Doing that is just flat out unacceptable.

In this particular student's case, it was great that he discovered and reported a security problem. And I see he received kudos and full props for it. But going back in after the fact to "verify" the fix had been made? I'd be suspicious too.

I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive. However, please note that the headlines are somewhat misleading too. He wasn't expelled for identifying a security issue. He was expelled for going back afterwards and running an unauthorized scan using Acunetix. That's a very different thing than implying that he merely identified a security hole - and then got promptly expelled from his college by way of a thank-you as some news sources are seeming to say.
